Device Security: Don’t Count on Users

When it comes to device security, companies need to be more proactive in baking security into their software development life cycle.

COVID-19 forced businesses to think about cybersecurity in new ways, which was to be expected, as organizations had to ensure that remote workers had secure network connections and security teams had to address risk in new ways. What may not have been anticipated was the coronavirus impact on consumer behavior and cybersecurity. For example, a Unisys study found that 58% of consumers have a heightened awareness of personal security and 41% worry about a data breach while working remotely.

However, consumers still aren’t very good at managing security on their own, and many of their security worries during COVID-19 center on the devices they use.

“The greater number of connected devices being added to a network has also been a cause for concern, as this increases the threat surface, especially as many are low-cost consumer devices with little or no built-in security,” said a report from Irdeto. “Consumers can take measures to boost cybersecurity themselves, and device manufacturers have a part to play by ensuring more robust built-in security protocols.”

Getting Manufacturers Onboard

IT and security teams want better cybersecurity. Consumers want better security—and not just for themselves, but also for the small businesses that they own and operate. However, SMB owners don’t have the time, expertise or budget to handle the increasing and complex security needs that are necessary in today’s business world. This is why manufacturers and developers need to step up security on the device development side.

A new report released by the World Economic Forum Platform for Cybersecurity and Digital Trust emphasizes the need for a better relationship between cybersecurity and tech development.

“There is a serious imbalance between the “time to market” pressures and the “time to security” requirements for shiny new products and gadgets,” Algirde Pipikaite, industry lead, World Economic Forum Platform for Cybersecurity and Digital Trust, said in a formal statement. “With the rapid increase of cyberattacks, companies need to prove to consumers that their data is secure. As the market shifts, we expect to see greater investment in companies prioritizing security and their longer-term success.”

Imbalance Between Security Needs and Market Release

“Today there is a serious imbalance between the time to market and the time to security. Market forces pressure for shiny new products and tech gadgets or applications, they care little about the security embedded in a new technology,” the report stated.

It’s an attitude that needs to change, however, as consumers shift their priorities. With a greater understanding of the importance of cybersecurity, brought home quite literally by remote work during COVID-19, and the increased emphasis on data privacy, consumers are going to demand devices with security protections baked in. And just as many consumers stop doing business with a company that has suffered a serious data breach, they will soon begin making their technology-purchasing decisions based on which company offers the most secure product with the least amount of user effort.

How DevSecOps Needs to Improve

Security not only has to be a higher priority in the DevOps process, but it also needs to come in earlier, rather than as a last-minute add-on or afterthought.

“Security must be part of each stage of your software development lifecycle,” wrote Antony Edwards in Help Net Security. “Product managers need to ensure that requirements, epics, and user stories have security acceptance criteria. Technical architects need to ensure that designs are reviewed from a security perspective (ideally by a security expert).”

Development teams need to break down the security monolith, Edwards added, and recognize that security means different things to different entities. What the product managers may see as important might not meet the needs of end users. The World Economic Forum Platform breaks what it calls cyber essentials into three sections: Organizational Security (meeting the cybersecurity culture of the user organization); Product Security (how well the built-in security meets security and privacy needs); and Infrastructure Security (the impact of third parties and data governance). Security is a shared responsibility, and engaging team members along every step of development and also understanding what users want and need will bring forth devices better-equipped for the security challenges ahead.

COVID-19 has increased our dependence on devices and technology, and with remote work likely becoming the norm for the workforce rather than the exception, good security is an urgent proposition. Getting products to market quickly in this environment might be okay for today, but consumers will quickly turn to the products that take longer to come out but have security baked in.

Sue Poremba

Sue Poremba is a freelance writer based in central Pennsylvania. She's been writing about cybersecurity and technology trends since 2008.